
yahoo-eng-team team mailing list archive

[Bug 1574195] Re: UEFI - Forbid access to /usr/share/OVMF/OVMF_CODE.fd

 

The current min libvirt is 1.2.9, so I think this isn't something we're
going to fix in master

** Changed in: nova
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1574195

Title:
  UEFI - Forbid access to /usr/share/OVMF/OVMF_CODE.fd

Status in OpenStack Compute (nova):
  Won't Fix

Bug description:
  Libvirt will use AppArmor for security in some distributions such as Ubuntu.
  The AppArmor profile is manipulated by virt-aa-helper.
  If users want to boot in UEFI, they need to specify the UEFI loader path.
  But currently nova will only access /usr/share/OVMF/OVMF_CODE.fd.
  However, libvirt forbade access to /usr/share before the following patch.
  https://github.com/libvirt/libvirt/commit/2f01cfdf05448513d150ff1914d3444161c531b9
  The patch has been merged since libvirt 1.2.19.
  The default package for older OS releases such as Ubuntu Trusty hasn't merged the patch yet.

  Therefore those VMs will fail to be created, with the following logs.
  These logs occurred in the compute log:
  libvirtError: internal error: cannot load AppArmor profile 'libvirt-58090233-7964-4457-9981-62ba4c488b12'

  These logs occurred in the libvirtd log:
  2016-04-25 06:49:42.902+0000: 26078: error : virCommandWait:2532 : internal error: Child process (/usr/lib/libvirt/virt-aa-helper -p 0 -c -u libvirt-58090233-7964-4457-9981-62ba4c488b12) unexpected exit status 1: virt-aa-helper: error: /usr/share/OVMF/OVMF_CODE.fd
  virt-aa-helper: error: skipped restricted file
  virt-aa-helper: error: invalid VM definition

  Maybe we should add an option for the UEFI loader path instead of the static code in the following link.
  https://github.com/openstack/nova/blob/master/nova/virt/libvirt/driver.py#L328

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1574195/+subscriptions
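
A triage sketch for the failure described in this report, added here as an example (it is not code from nova, libvirt, or the bug thread). It scans libvirtd log text for virt-aa-helper runs that ended with "skipped restricted file" and reports the AppArmor profile and rejected path; the function names are hypothetical, the sample log is constructed from the lines quoted in the report, and the 1.2.19 threshold is the one the report states.

```python
import re

# Constructed sample: the libvirtd excerpt quoted in the bug report plus one unrelated line.
SAMPLE_LOG = """\
2016-04-25 06:49:42.902+0000: 26078: error : virCommandWait:2532 : internal error: Child process (/usr/lib/libvirt/virt-aa-helper -p 0 -c -u libvirt-58090233-7964-4457-9981-62ba4c488b12) unexpected exit status 1: virt-aa-helper: error: /usr/share/OVMF/OVMF_CODE.fd
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition
2016-04-25 06:49:43.100+0000: 26078: info : unrelated constructed line
"""

ENTRY_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+\+\d{4}): \d+: ")
HELPER_FAIL = re.compile(
    r"virt-aa-helper\b[^)]*-u (?P<profile>libvirt-[0-9a-f-]{36})\)"
    r" unexpected exit status \d+")
HELPER_ERR = re.compile(r"virt-aa-helper: error: (.+)")
FIXED_IN = (1, 2, 19)  # libvirt release named in the bug report


def entries(text):
    """Group continuation lines with the timestamped line that opens an entry."""
    current = []
    for line in text.splitlines():
        if ENTRY_START.match(line) and current:
            yield "\n".join(current)
            current = []
        current.append(line)
    if current:
        yield "\n".join(current)


def restricted_file_failures(text):
    """Return one finding per virt-aa-helper failure caused by a restricted file."""
    findings = []
    for entry in entries(text):
        failed = HELPER_FAIL.search(entry)
        errors = HELPER_ERR.findall(entry)
        if not failed or "skipped restricted file" not in errors:
            continue
        ts = ENTRY_START.match(entry)
        findings.append({"timestamp": ts.group(1) if ts else None,
                         "profile": failed["profile"],
                         "paths": [e for e in errors if e.startswith("/")]})
    return findings


def predates_fix(version):
    """Version hint only: distribution packages may carry backported patches."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3]) < FIXED_IN
```
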

